User-Groups

From SME Server


ASSUMPTIONS:
SMESERVER is set up as a domain controller.
You understand a domain controller and server-client computer setup.
You understand classical USER GROUPS: http://www.kellys-korner-xp.com/xp_groups.htm


PROBLEM 1:
When you log in to a client computer (e.g. WinXP), users are automatically limited for security reasons. The group USERS can't make changes, install software, etc. The idea is that users can USE the client computer but system admins ADMINISTRATE the client computer. Changes can't be made unless it's by an ADMIN. Most admins love this, especially anyone who tries to run a public/shared computer area.

But in certain cases this may cause problems running software, or the default permissions may not be enough for an organization. Some organizations may want to give more permissions to allow these types of changes.


HOWTO FIX:
To change this, a SMESERVER group (also known as a samba group) can be mapped to Microsoft Windows NT4/200x/XP groups easily (very cool). If you don't know what USER GROUPS are, see the link at the top of this article.

  • you can view a current list of 'built-in' groups with: net groupmap list
  • create a new group (with the server-manager)
  • for the "description" put in your chosen group from the groupmap list

Here is the output of net groupmap list on my server:

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-4260205169-3070811950-2777133871-513) -> shared
Power Users (S-1-5-32-547) -> -1
Domain Admins (S-1-5-21-4260205169-3070811950-2777133871-512) -> ntadmins
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-4260205169-3070811950-2777133871-514) -> nobody
Account Operators (S-1-5-32-548) -> -1
Local Administrator (S-1-5-21-4260205169-3070811950-2777133871-1203) -> admin
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Since I want to allow people to make changes, I created a group called POWERUSERS and for the description I put in "Power Users". Finally, I added people to the POWERUSERS group. They can now make changes.

For more info:
man net
net groupmap
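
Before adding people to a mapped group, it helps to see which privileged Windows groups already have a Unix group behind them. The script below is an added example, not part of the original howto: it filters net groupmap list output for mapped administrator-level groups. The sample input and the group name powerusers are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): list privileged Windows groups
# that `net groupmap list` shows as mapped to a Unix (server-manager) group.

# Constructed sample: lines in the format of the listing above, as they might
# look after creating the "powerusers" group (that group name is an assumption).
sample_groupmap() {
    cat <<'EOF'
System Operators (S-1-5-32-549) -> -1
Domain Users (S-1-5-21-4260205169-3070811950-2777133871-513) -> shared
Power Users (S-1-5-32-547) -> powerusers
Domain Admins (S-1-5-21-4260205169-3070811950-2777133871-512) -> ntadmins
Administrators (S-1-5-32-544) -> -1
Users (S-1-5-32-545) -> -1
EOF
}

# stdin:  output of `net groupmap list`
# stdout: "NT group|SID|Unix group" for each privileged group that is mapped
privileged_mappings() {
    awk '
    {
        # Each line is "NT name (SID) -> unixgroup"; NT names contain spaces.
        if (!match($0, /\(S-[0-9-]+\) -> /)) next
        name = substr($0, 1, RSTART - 2)
        sid  = substr($0, RSTART + 1, RLENGTH - 6)
        unix = substr($0, RSTART + RLENGTH)
        sub(/[ \t\r]+$/, "", unix)
        if (unix == "-1") next   # shown for groups with no Unix group behind them
        # Well-known SIDs: built-in Administrators (544), Power Users (547),
        # Account/Server/Print/Backup Operators (548-551), Domain Admins (RID 512).
        if (sid ~ /^S-1-5-32-(544|547|548|549|550|551)$/ || sid ~ /^S-1-5-21-[0-9-]+-512$/)
            print name "|" sid "|" unix
    }'
}

# On the server: net groupmap list | privileged_mappings
sample_groupmap | privileged_mappings
```

Every Unix group it prints grants elevated rights on domain clients, so its membership in the server-manager is worth reviewing.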


Give admin rights to a user, so he can Join computers to the SME-Server

This part of the Howto is a procedure that the user cactus gave us in this thread [1]

Problem

You need to delegate to another user, who is not the "admin" user, the ability to join Windows machines to the domain. This helps a lot in securing the co-administrators' access to the servers.

Steps

  • Create a group called "ntadmins" with the description "Domain Admins" in the server-manager.
  • Make the user(s) who should have domain administrator rights members of the group "ntadmins".


Then in the console:

  • Create the custom templates directory:
mkdir -p /etc/e-smith/templates-custom/etc/smb.conf/
  • Copy the template fragment into the new location:
cp /etc/e-smith/templates/etc/smb.conf/11adminUsers /etc/e-smith/templates-custom/etc/smb.conf/
  • Use your favourite editor to change the content to point to your Domain Administrator group defined in the server-manager, e.g. like so:
admin users = @ntadmins

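Note: The @ sign means that this is a group and not a user. Samba performs all file operations for the listed "admin users" as root, so keep the membership of this group small.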

  • Expand your smb.conf file:
expand-template /etc/samba/smb.conf
  • Restart samba:
service smb restart
